FortinetBeginner

Websites are not loading - Fortigate 120g

Hello everyone,

We are using a Fortigate 120g. However, we can't open any website.

Ping and DNS work on the client and on the Fortigate, and the packets are forwarded on the Fortigate without dropping any packets.

When we connect directly to the Fortigate 120g, we can access the Internet and open web pages without any delay.

When we disconnect the Fortigate 120g and connect our old firewall, everything works fine right away.

What we tried:

Configuring port speed 1000Full on our Cisco CL9200 switch and on the Fortigate 120g.

Do you have any idea how we can fix the problem?

Thank you in advance!

Best regards

1 Solution
FortinetBeginner

Ok, we fixed the problem.

It was a DNS problem.

Ping worked and DNS names were resolved, but web pages did not load.

With public DNS servers on the client, the sites loaded without delay.

With our internal DNS servers, the sites did not load.

This problem was caused by a subnet that was configured on the Mgmt port on the firewall.

This subnet overlapped with our internal DNS server subnet.

We found this out by performing the following steps:

Ping from firewall to internal DNS server works.

Ping from DNS server to firewall didn't work.

nslookup www.google.com internal DNS server

like nslookup www.google.com 172.1.1.10 (we got two timeouts before the DNS name was resolved)

I hope this solution helps someone.

Regards

Ralf

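The root cause above, an interface subnet that overlaps the subnet holding the internal DNS server, can be spotted in a configuration review before anyone has to chase timeouts. The following is an added example, not code from the thread or from Fortinet: it models a FortiGate-style interface table (constructed addresses, not the poster's real ones), reports overlapping connected subnets, and shows which interface a longest-prefix lookup would pick for each DNS server, so a server that is swallowed by a more specific management subnet stands out.

```python
import ipaddress
from typing import NamedTuple, Optional


class Iface(NamedTuple):
    name: str
    network: ipaddress.IPv4Network  # connected subnet derived from the interface address


def iface(name: str, cidr: str) -> Iface:
    """Build an Iface from an 'address/prefix' string as typed on the interface."""
    return Iface(name, ipaddress.ip_interface(cidr).network)


# Constructed sample (hypothetical): the LAN port carries the server VLAN as a /23,
# and the mgmt port was later given an address whose /24 sits inside that /23.
INTERFACES = [
    iface("lan", "10.10.20.1/23"),
    iface("mgmt", "10.10.21.1/24"),
    iface("wan1", "203.0.113.2/30"),
]
INTERNAL_DNS = ["10.10.21.53"]  # constructed address of the internal DNS server


def overlapping_interfaces(ifaces: list[Iface]) -> list[tuple[str, str]]:
    """Return every pair of interfaces whose connected subnets overlap."""
    return [(a.name, b.name) for i, a in enumerate(ifaces)
            for b in ifaces[i + 1:] if a.network.overlaps(b.network)]


def egress_interface(ifaces: list[Iface], ip: str) -> Optional[str]:
    """Connected-route lookup: the most specific subnet containing ip wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for i in ifaces:
        if addr in i.network and (best is None or i.network.prefixlen > best.network.prefixlen):
            best = i
    return best.name if best else None


def dns_path_report(ifaces: list[Iface], dns_servers: list[str], expected: str) -> dict:
    """For each DNS server: chosen egress, every interface claiming its address, and
    whether it is reachable only via the interface it is physically behind."""
    report = {}
    for ip in dns_servers:
        claiming = [i.name for i in ifaces if ipaddress.ip_address(ip) in i.network]
        report[ip] = {"egress": egress_interface(ifaces, ip), "claimed_by": claiming,
                      "ok": claiming == [expected]}
    return report


if __name__ == "__main__":
    print("overlaps:", overlapping_interfaces(INTERFACES))
    print(dns_path_report(INTERFACES, INTERNAL_DNS, expected="lan"))
```

With the sample table the firewall would send DNS traffic out mgmt although the server lives behind lan, which is the one-way reachability the poster observed; moving the mgmt address to a disjoint range clears both findings.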
salemneaz

Hi Ralf,

Is this happening to all the websites or some of them?

Next Steps Listed below:

Disable all UTM inspection at the policy, including certificate inspection --- Important

Bypass the switch and try with a direct connection. ---- Important

Press F12 and that will bring up the inspection at the web browser.

Run Wireshark from the PC itself and see if it is a fragmentation issue.

Salem
FortinetBeginner

Hi Salem,

Thanks for your help!

This happens to all websites and clients in our network.

UTM checking is disabled.

Bypass switch works fine. No delay in loading sites.

I can check the inspection tomorrow and will post the result here, but I don't think it's a fragmentation issue because we have this problem on all clients, and when I change my Fortigate back to my Sonicwall everything works.

I'll be very grateful if you have any further advice for me.

Ralf

salemneaz

Hi Ralf,

Check the switch port speed and half/full duplex mode, check for STP loops or broadcast issues, make sure that you are not getting an IP address conflict, and configure port security; example steps can be found here: https://networklessons.com/switching/how-to-configure-port-security-on-cisco-switch

Salem
FortinetBeginner

Hi Salem,

STP is enabled.

Both ports on the firewall and switch are configured to 1000Full (no auto negotiation).

No IP address conflict. We have already checked this.

Port security is enabled on the Cisco switch.

I'm struggling very hard with this problem...

I appreciate any help and ideas on this issue.

Ralf


FortinetBeginner

FYI: We are facing a strange behavior. We are not able to ping from any client through the firewall when we restart the firewall until we ping from the Fortigate to our core switch. The ping from Fortigate to our core switch does not work on the first try. On the second try, it works. At this moment, the ping from the client through the firewall is working.

Does anyone know what this behavior means?

Ralf

salemneaz

Share the FortiGate interface configuration that is connected to the switch, and also which VLAN you are passing. It looks like a gateway resolve issue to me.

Salem
salemneaz

The ideal flow should be like this:

Host----------Access Port (VLAN-10)--Switch--Trunk Port--------(gateway)Fortigate--Internet

Salem
FortinetBeginner

Please ignore that the LAN port is not connected because we are still using the old firewall.

[Screenshot: LAN-Port-Configuration.PNG]

This is a small picture of the configuration of the network:

[Image: Network.png]

Ralf

FortinetBeginner

Yes, that's how we configured it.

salemneaz

Can you do a traceroute from the host to the firewall VLAN gateway and see where the traffic is getting dropped?

Salem